
Thread: Malware/Browser Hijack

  1. #1
    Junior Member | Join Date: Mar 2011 | Posts: 10

    Malware/Browser Hijack

    Windows XP SP 3

    Clicks on Google searches get redirected to other search sites and the Spybot executable doesn't run unless I rename it - even in safe mode. I have AVG Free installed but the control panel won't let me uninstall it. I'm guessing that something is killing the uninstall process just like when Spybot is started.

    I have run several AVG and Spybot scans as well as Malwarebytes Anti-Malware and removed some of the worst offenders.

    Thanks for your help.

    DDS Log:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by J at 11:45:18.26 on Tue 03/22/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.473 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Documents and Settings\J\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    mSearchAssistant =
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No File
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CE0C2586-DA36-452B-ACDB-320D9BCB19BF} - No File
    TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224210243328
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\645nbkj0.default\
    FF - component: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
    FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
    FF - plugin: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\program files\free ride games\npExentCtl.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\mozilla firefox\extensions\npmozax31@real.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\mozilla firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6} - c:\documents and settings\joanne\local settings\application data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2010-3-15 53280]
    R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-4-16 56352]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
    S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
    S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe" "c:\program files\seekeensrch\seekeen.dll" service --> c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [?]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2010-08-10 02:17:50 464 ----a-w- c:\program files\0809201021175065.bat
    2010-04-15 02:20:24 458 ----a-w- c:\program files\0414201021202447.bat
    2010-04-15 02:19:27 453 ----a-w- c:\program files\0414201021192699.bat
    2010-04-03 20:36:04 469 ----a-w- c:\program files\0403201015360422.bat
    2010-03-18 12:42:55 455 ----a-w- c:\program files\031820107425510.bat
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8670CEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8462f872; SUB DWORD [EBP-0x4], 0x8462f12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86789AB8]
    3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x867DF350]
    [0x85DC9F38] -> IRP_MJ_CREATE -> 0x8670CEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\iaStor DriverStartIo -> 0x8670CAEA
    user & kernel MBR OK
    sectors 312494078 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 11:46:55.76 ===============
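
    A triage pass over a DDS log of the kind posted above, written as an added example (it is not part of this thread and not code from the DDS tool). The heuristics are assumptions, chosen to mirror what a helper reads first in this log: the AV status flags, BHO/toolbar entries registered with no backing file, services whose binary lives under a user profile or "application data" path, and the user/kernel MBR mismatch reported by the GMER detector at the end of the log.

```python
"""Triage pass over a DDS log (added example; not from the thread or DDS).

Assumed heuristics, chosen to mirror what a helper reads first in the
log above: the AV status flags, BHO/toolbar entries with no backing
file, services whose binary lives under a user or 'application data'
path, and the user/kernel MBR mismatch reported by the GMER detector.
"""
import re

# Constructed sample: a few lines copied from the DDS log in post #1.
SAMPLE_LINES = (
    "AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}",
    ".",
    "============== Pseudo HJT Report ===============",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    "BHO: {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No File",
    "TB: {CE0C2586-DA36-452B-ACDB-320D9BCB19BF} - No File",
    "============= SERVICES / DRIVERS ===============",
    r"R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]",
    r'S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe" "c:\program files\seekeensrch\seekeen.dll" service --> c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [?]',
    "=================== ROOTKIT ====================",
    "user & kernel MBR OK",
    "sectors 312494078 (+255): user != kernel",
    "Warning: possible TDL3 rootkit infection !",
    "============= FINISH: 11:46:55.76 ===============",
)

# DDS section banners look like "=== Pseudo HJT Report ===".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "AV: <product> *<status flags>* {guid}"
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\*(.+?)\*")
# Pseudo-HJT entries: "BHO: name: {clsid} - path" / "TB: {clsid} - No File"
HJT_RE = re.compile(r"^(BHO|TB|uRun|mRun|DPF|SEH):\s*(.*)$")
# Services/drivers: "<R|S><start type> <name>;<display name>;<path> [date size]"
SVC_RE = re.compile(r"^(R|S)(\d)\s+([^;]+);([^;]*);(.*)$")
# Assumed heuristic: service binaries under a profile or temp path deserve a look.
PROFILE_PATH_RE = re.compile(
    r"(application data|documents and settings|local settings|\\temp\\)", re.I
)


def triage(lines):
    """Return (category, subject, detail) tuples for lines worth reviewing."""
    findings = []
    section = "header"
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = AV_RE.match(line)
        if m:
            flags = m.group(2)
            if "disabled" in flags.lower() or "outdated" in flags.lower():
                findings.append(("av-status", m.group(1), flags))
            continue
        m = HJT_RE.match(line)
        if m:
            if m.group(2).rstrip().endswith("No File"):
                findings.append(("orphaned-entry", m.group(1), m.group(2)))
            continue
        m = SVC_RE.match(line)
        if m:
            name, path = m.group(3), m.group(5)
            if PROFILE_PATH_RE.search(path):
                findings.append(("service-in-profile-path", name, path))
            continue
        if section.startswith("rootkit"):
            if "user != kernel" in line:
                findings.append(("mbr-mismatch", "MBR", line))
            elif line.lower().startswith("warning:"):
                findings.append(("rootkit-warning", "GMER", line))
    return findings


def summarize(findings):
    """Count findings per category so a helper can see the shape at a glance."""
    counts = {}
    for category, _subject, _detail in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, subject, detail in triage(SAMPLE_LINES):
        print(f"[{category}] {subject}: {detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

On the sample above the pass flags the disabled/outdated AV entry, the two orphaned BHO/TB registrations, the SeekeenSrch service running from the all-users application data folder, and the MBR mismatch plus the detector's warning; the AVG WatchDog service under Program Files is not flagged.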

  2. #2
    Emeritus - Malware Team | Join Date: May 2009 | Location: Buenos Aires, Argentina | Posts: 340

    Hi iamsam,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Please follow these steps in order:


    Step 1 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 2 | This next program is needed to remove the main infection in your system. However...AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the remaining infection.

    After uninstalling AVG from the Control Panel, also run the AVG remover from their site.

    http://www.avg.com/us-en/download-tools

    direct link to the AVG Remover:

    http://download.avg.com/filedir/util..._2011_1149.exe

    You may also use this tool to uninstall AVG:
    http://www.appremover.com/appremover/avg/AppRemover.exe

    Instructions:
    http://www.appremover.com/about/using-appremover.html


    After uninstalling AVG, download Combofix from any of the links below, rename it to and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  3. #3
    Junior Member | Join Date: Mar 2011 | Posts: 10

    GMER and Combofix logs

    GMER:
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-22 20:20:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.
    Running: qxmkmllz.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\ugtdypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF76D46C0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF76D4770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF76D4810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF76D48B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7BDA814]
    init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xEDE00F80]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\Fastfat \Fat AD0AFD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
    Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\ProgID@ ADODB.Connection.2.8
    Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\VersionIndependentProgID@ ADODB.Connection
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ C:\WINDOWS\system32\oleacc.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{2C964540-F22E-5AC5-FABA-65B44C88E125}\xmlparse@classid 4107.11647.12889
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2@ Media Clip
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet@ MPlayer
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0@ Embed Source,1,8,1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1@ 3,1,32,1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2@ 8,1,1,1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DefaultIcon@ mplay32.exe,1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\InprocHandler32@ ole32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Insertable@
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer@ mplay32.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@ mplay32.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\MiscStatus@ 0
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@ MPlayer
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0@ &Play,0,3
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1@ &Edit,0,2
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2
    Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2@ &Open,0,2
    Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\sonicmcdsdv.ax
    Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyDVDBuilder>1C!E9NrB.9iy@yTjW`Fo?
    Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ c:\Program Files\RealArcade\RAComponents.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ThreadingModel both
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\ProgID@ RAComponents.RALocalizedString.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\TypeLib@ {C9BCE66F-FB3A-4985-9A96-DEDED07CF78D}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\VersionIndependentProgID@ RAComponents.RALocalizedString
    Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ shell32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews
    Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}@PersistMoniker file://%userappdata%\Microsoft\Internet Explorer\Desktop.htt
    Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer@ avifile.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ avifil32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\LocalServer32@ C:\PROGRA~1\Roxio\ROXIOM~1\INSTAL~1\Driver\1050\INTEL3~1\IDriverT.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\ProgID@ IDriverT.RotService.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\TypeLib@ {7EC41441-2247-4DEC-BBFB-9E798627A17B}
    Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\VersionIndependentProgID@ IDriverT.RotService
    Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer@ ole2disp.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ oleaut32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyMandatory>M5KDYSUnf(HA*L[xeX)y?
    Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\RMFMediaObjects.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\ProgID@ RMFMediaObjects3.VCGFrameGrabber9.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\TypeLib@ {E5DAF394-09A5-4879-ABC0-2A3E92A7CBF1}
    Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\VersionIndependentProgID@ RMFMediaObjects3.VCGFrameGrabber9
    Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ C:\PROGRA~1\NETMEE~1\rrcm.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\ProgID@ RTP.RTP.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\VersionIndependentProgID@ RTP.RTP
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{60A8075E-1422-B512-3767-A488F5C2A32C}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{611BF4E5-A0AA-3ADF-9B9D-5298A6A5BD05}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{622E5117-EFA1-1C70-66E1-1FF740D253FB}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{63FB4621-00E3-3127-D4B3-0F2BDEF38813}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{64A91B17-A059-F980-B4B6-C094CFB288BA}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{654F2EB9-27D5-A54B-DB01-EBBA951840A3}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{663078EC-1F0E-600E-01CD-912DD4FE5BB0}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6751DF04-A4C0-B296-90E9-2FAE8C85E97E}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6974B180-0477-EABB-461E-0D5F20BA0F51}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@RuntimeVersion v2.0.50727
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ mscoree.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@RuntimeVersion v2.0.50727
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
    Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgId@ Microsoft.Aspnet.Snapin.AspNetManagementUtility.2
    Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\ProgID@ ScriptletHandler.ASP
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aif
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aifc
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aiff
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.mov
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.qt
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ra
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ram
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rm
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rmm
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/aiff
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-aiff
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-pn-realaudio
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\video/quicktime
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ C:\WINDOWS\system32\Msdxm6.ocx
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus@ 0
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1@ 131473
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ProgID@ AMOVIE.ActiveMovieControl.2
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ToolboxBitmap32@ C:\WINDOWS\system32\Msdxm6.ocx, 1
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\TypeLib@ {05589fa0-c356-11ce-bf01-00aa0055595a}
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\Version@ 2.0
    Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\VersionIndependentProgID@ AMOVIE.ActiveMovieControl
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ mscoree.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Class RecordingObjects.RecordingCompletedEventLogEntry
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@RuntimeVersion v1.1.4322
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Class RecordingObjects.RecordingCompletedEventLogEntry
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@RuntimeVersion v1.1.4322
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\ProgId@ RecordingObjects.RecordingCompletedEventLogEntry
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ C:\WINDOWS\system32\quartz.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{320092EB-E50F-57BE-A0AB-CE07175496A7}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{335E72A0-8BF3-7B9C-F3C0-EA43C7629793}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{349CF325-DE89-0627-FF71-904851A913A1}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{3594C6AD-F011-9DE5-00DC-0E434A40BD32}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{36640083-5D89-0425-38C0-110541F1BC9A}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{376B75CA-E248-5974-5D50-0545151BBFC4}
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ C:\WINDOWS\system32\wmpsrcwp.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ThreadingModel Both

    ---- Files - GMER 1.0.15 ----

    ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 70049792 bytes executable
    ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
    ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
    File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----


    Combofix:

    ComboFix 11-03-22.04 - J 03/22/2011 20:46:42.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.697 [GMT -5:00]
    Running from: c:\documents and settings\J\My Documents\Downloads\jComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\J\Application Data\PriceGong
    c:\documents and settings\J\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\J\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\JoAnne\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
    c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome.manifest
    c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\_cfg.js
    c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\overlay.xul
    c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\install.rdf
    C:\Install.exe
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\iWin\tbiWi1.dll
    c:\windows\system32\Data
    .
    Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 14:08 . 2011-03-22 14:08 -------- d-----w- c:\program files\ERUNT
    2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-08 19:58 . 2011-02-08 19:58 388096 ----a-r- c:\documents and settings\J\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
    2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
    2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
    2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
    2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    .
    c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
    backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
    backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
    2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
    2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "gupdate1c9b6296af48476"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
    R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
    S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
    S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-02-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
    .
    2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
    FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
    MSConfigStartUp-013f74406cf06ba257e3b7572429f7a5 - c:\docume~1\JoAnne\Desktop\SKIP-B~1.EXE
    MSConfigStartUp-Creative Detector - c:\program files\Creative\MediaSource\Detector\CTDetect.exe
    MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    MSConfigStartUp-Exetender - c:\program files\Free Ride Games\GPlayer.exe
    MSConfigStartUp-Gzizefameteqa - c:\windows\enakagupiseriyo.dll
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-Internet Antivirus Pro - c:\program files\Internet Antivirus Pro\IAPro.exe
    MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    MSConfigStartUp-Jmowujagedeyoxi - c:\windows\mcbMBU.dll
    MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\JoAnne\Application Data\Microsoft\Windows\winlogon.exe
    MSConfigStartUp-rillixcs - c:\docume~1\JoAnne\LOCALS~1\Temp\jvsxmkoxy\bajctmiyhsn.exe
    MSConfigStartUp-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe
    MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe
    MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
    MSConfigStartUp-{143B3226-02CE-A020-A3BE-3108B7F2A074} - c:\documents and settings\JoAnne\Application Data\Epfaez\kydy.exe
    MSConfigStartUp-{BC1335DB-6FF8-65FB-680A-E73CB69796AC} - c:\documents and settings\JoAnne\Application Data\Usen\negi.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 20:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-03-22 20:55:00
    ComboFix-quarantined-files.txt 2011-03-23 01:54
    .
    Pre-Run: 71,095,001,088 bytes free
    Post-Run: 71,253,016,576 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - F2EF9C629EF00870D49E484D1084574F


    I think this may have fixed it. Please let me know if there's anything else.

    Thanks!!

  4. #4
    Emeritus- Malware Team (Join Date: May 2009; Location: Buenos Aires, Argentina; Posts: 340)

    Hi iamsam,


    A good part of the main infection has been removed, although I suspect there's still more in there. Let me tell you that unfortunately your computer appears to have been infected by the TDL3 backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

    • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
    • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
    • Consider what other private information could possibly have been taken from your computer and take appropriate steps.


    This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer. You should not be following fixes in other threads as those fixes are specifically for those computers.

    Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall?


    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Step 1 | I notice you have games from Free Ride Games installed on your machine. There are some comments from the WOT (Web of Trust) community that relate this developer with certain infections. See here:


    http://www.mywot.com/es/scorecard/freeridegames.com


    Have you installed these games? Let's upload some of their files to check. Please go to the following site to scan a file: VirusTotal

    • Click on Browse, and upload the following files for analysis:

      • c:\program files\Free Ride Games\X4HS32Ex.sys
        c:\program files\Free Ride Games\X4HSEx.sys

    • Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
    • If it says already scanned -- click "reanalyze now"
    • Please post the results in your next reply.



    Step 2 | Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

    • Please open Notepad.
    • In Notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all of the text in the code box below into Notepad (including the URL). Do not copy the word CODE:


    Code:
    http://forums.spybot.info/showthread.php?p=398466
    
    Collect::
    c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
    c:\program files\SeekeenSrch\seekeen.dll
    
    Driver::
    SeekeenSrch Service
    
    DDS::
    FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
    • In the notepad click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save.
    • Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
    • This will start ComboFix again. Close all browser windows first.


    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




    **Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

    Please post back including the Combofix log.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
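    The script below is an added example for this thread, not code from ComboFix, GMER or the helper above. It shows the triage the helper did by eye on the ComboFix log: walk the service (R2/S4) and MSConfigStartUp lines, flag binaries that run from user-writable locations, that reuse a core Windows process name outside %windir%, or whose file/folder name looks machine-generated, and draft the Collect::/Driver:: sections of a CFScript from the hits, in the same directive syntax the helper used. The heuristics and their thresholds are the example's own choices; the sample lines are copied from the ComboFix log posted earlier in the thread. Note what the heuristics miss: a pronounceable generated name such as enakagupiseriyo.dll under c:\windows passes the consonant-run test, and the Gamesbar binary under Program Files is not flagged at all, so the output is a starting point for a human reviewer and must never be fed to ComboFix unreviewed.

```python
"""Triage ComboFix log lines for suspicious autostart and service binaries.

Added example for this thread; not code from ComboFix, GMER or the helper.
The path, masquerade and name heuristics are the example's own choices, and
SAMPLE_LOG is copied from the ComboFix log posted above. Python 3.8+, stdlib only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Locations a legitimate service or autostart binary rarely lives in on XP;
# every user account (and therefore every drive-by payload) can write here.
USER_WRITABLE_MARKERS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\desktop\\",
    "\\docume~1\\",   # 8.3 short form of \documents and settings\
)

# Core Windows process names. The genuine files live under the Windows
# directory; a copy anywhere else is a masquerade.
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "services.exe", "smss.exe", "explorer.exe",
}
# Anchored at the drive root on purpose: the log's fake winlogon.exe sits in
# ...\Application Data\Microsoft\Windows\, which a substring test for
# "\windows\" would wrongly accept.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\")

SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]*);")       # R2 name;display;path ...
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?) - ")   # MSConfigStartUp-name - path
WINPATH_RE = re.compile(r"[a-z]:\\[^\"\[\];]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Five or more consonants in a row (y counted as a vowel) is rare in a
# vendor-chosen name and common in generated ones. Coarse, but cheap.
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


@dataclass
class Finding:
    entry: str          # service name, startup value name, or the raw line
    path: str
    reasons: List[str]
    is_service: bool


def _looks_generated(component: str) -> bool:
    letters = re.sub(r"[^a-z]", "", component.lower())
    return bool(CONSONANT_RUN_RE.search(letters))


def classify_path(path: str) -> List[str]:
    """Return the reasons a binary path is suspicious; an empty list means none seen."""
    low = path.lower()
    parts = low.split("\\")
    basename, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary in user-writable location")
    if basename in SYSTEM_BINARY_NAMES and not SYSTEM_DIR_RE.match(low):
        reasons.append("system binary name outside %windir%")
    if _looks_generated(basename.rsplit(".", 1)[0]) or _looks_generated(parent):
        reasons.append("generated-looking file or folder name")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Scan log lines; one Finding per suspicious path, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        orphan = ORPHAN_RE.match(line)
        entry = (svc or orphan).group("name") if (svc or orphan) else line
        seen: Dict[str, str] = {}
        for path in WINPATH_RE.findall(line):
            seen.setdefault(path.lower(), path)   # dedupe repeats, keep first spelling
        for path in seen.values():
            reasons = classify_path(path)
            if reasons:
                findings.append(Finding(entry, path, reasons, bool(svc)))
    return findings


def draft_cfscript(findings: List[Finding]) -> str:
    """Draft Collect::/Driver:: sections for a human to review before any use."""
    collect: List[str] = []
    drivers: List[str] = []
    for f in findings:
        if f.path not in collect:
            collect.append(f.path)
        if f.is_service and f.entry not in drivers:
            drivers.append(f.entry)
    out = ["Collect::", *collect]
    if drivers:
        out += ["", "Driver::", *drivers]
    return "\n".join(out) + "\n"


# Sample input: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = [
    r"R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]",
    r"S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]",
    r'S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]',
    r"MSConfigStartUp-Gzizefameteqa - c:\windows\enakagupiseriyo.dll",
    r"MSConfigStartUp-Jmowujagedeyoxi - c:\windows\mcbMBU.dll",
    r"MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\JoAnne\Application Data\Microsoft\Windows\winlogon.exe",
    r"MSConfigStartUp-rillixcs - c:\docume~1\JoAnne\LOCALS~1\Temp\jvsxmkoxy\bajctmiyhsn.exe",
    r"MSConfigStartUp-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.entry!r:45} {f.path}\n    -> {'; '.join(f.reasons)}")
    print(draft_cfscript(hits))
```

    Run it and the SeekeenSrch service, the fake winlogon.exe and the Temp-folder binary come out with the strong reasons (user-writable path, masquerade); the Free Ride Games drivers, GoogleUpdate.exe and enakagupiseriyo.dll are not flagged, which is exactly why the helper still asked for a VirusTotal check of the drivers rather than trusting a path heuristic either way.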

  5. #5
    Junior Member (Join Date: Mar 2011; Posts: 10)

    Logs as requested

    I would like to see if we can clean this up. I'm doing this for a relative and I'd like to avoid an OS install if possible.

    VirusTotal logs: (I'll probably uninstall the Free Ride games once everything is cleaned up)

    user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    X4HS32Ex.sys
    Submission date:
    2011-03-23 14:01:22 (UTC)
    Current status: finished
    Result:
    0/ 41 (0.0%)

    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.03.23.01 2011.03.23 -
    AntiVir 7.11.5.44 2011.03.23 -
    Antiy-AVL 2.0.3.7 2011.03.22 -
    Avast 4.8.1351.0 2011.03.23 -
    Avast5 5.0.677.0 2011.03.23 -
    AVG 10.0.0.1190 2011.03.23 -
    BitDefender 7.2 2011.03.23 -
    CAT-QuickHeal 11.00 2011.03.23 -
    ClamAV 0.96.4.0 2011.03.23 -
    Commtouch 5.2.11.5 2011.03.22 -
    Comodo 8075 2011.03.23 -
    DrWeb 5.0.2.03300 2011.03.23 -
    eSafe 7.0.17.0 2011.03.22 -
    eTrust-Vet 36.1.8231 2011.03.23 -
    F-Prot 4.6.2.117 2011.03.22 -
    F-Secure 9.0.16440.0 2011.03.23 -
    Fortinet 4.2.254.0 2011.03.23 -
    GData 21 2011.03.23 -
    Ikarus T3.1.1.97.0 2011.03.23 -
    Jiangmin 13.0.900 2011.03.23 -
    K7AntiVirus 9.94.4188 2011.03.23 -
    McAfee 5.400.0.1158 2011.03.23 -
    McAfee-GW-Edition 2010.1C 2011.03.23 -
    Microsoft 1.6603 2011.03.23 -
    NOD32 5977 2011.03.23 -
    Norman 6.07.03 2011.03.22 -
    nProtect 2011-02-10.01 2011.02.15 -
    Panda 10.0.3.5 2011.03.23 -
    PCTools 7.0.3.5 2011.03.21 -
    Prevx 3.0 2011.03.23 -
    Rising 23.50.01.06 2011.03.22 -
    Sophos 4.63.0 2011.03.23 -
    SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
    Symantec 20101.3.0.103 2011.03.23 -
    TheHacker 6.7.0.1.155 2011.03.23 -
    TrendMicro 9.200.0.1012 2011.03.23 -
    TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
    VBA32 3.12.14.3 2011.03.23 -
    VIPRE 8792 2011.03.23 -
    ViRobot 2011.3.23.4372 2011.03.23 -
    VirusBuster 13.6.265.0 2011.03.23 -


    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    X4HSEx.sys
    Submission date:
    2011-03-23 14:02:42 (UTC)
    Current status: finished
    Result:
    0/ 43 (0.0%)

    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.03.23.01 2011.03.23 -
    AntiVir 7.11.5.44 2011.03.23 -
    Antiy-AVL 2.0.3.7 2011.03.22 -
    Avast 4.8.1351.0 2011.03.23 -
    Avast5 5.0.677.0 2011.03.23 -
    AVG 10.0.0.1190 2011.03.23 -
    BitDefender 7.2 2011.03.23 -
    CAT-QuickHeal 11.00 2011.03.23 -
    ClamAV 0.96.4.0 2011.03.23 -
    Commtouch 5.2.11.5 2011.03.22 -
    Comodo 8075 2011.03.23 -
    DrWeb 5.0.2.03300 2011.03.23 -
    Emsisoft 5.1.0.4 2011.03.23 -
    eSafe 7.0.17.0 2011.03.22 -
    eTrust-Vet 36.1.8231 2011.03.23 -
    F-Prot 4.6.2.117 2011.03.22 -
    F-Secure 9.0.16440.0 2011.03.23 -
    Fortinet 4.2.254.0 2011.03.23 -
    GData 21 2011.03.23 -
    Ikarus T3.1.1.97.0 2011.03.23 -
    Jiangmin 13.0.900 2011.03.23 -
    K7AntiVirus 9.94.4188 2011.03.23 -
    Kaspersky 7.0.0.125 2011.03.23 -
    McAfee 5.400.0.1158 2011.03.23 -
    McAfee-GW-Edition 2010.1C 2011.03.23 -
    Microsoft 1.6603 2011.03.23 -
    NOD32 5977 2011.03.23 -
    Norman 6.07.03 2011.03.22 -
    nProtect 2011-02-10.01 2011.02.15 -
    Panda 10.0.3.5 2011.03.23 -
    PCTools 7.0.3.5 2011.03.21 -
    Prevx 3.0 2011.03.23 -
    Rising 23.50.01.06 2011.03.22 -
    Sophos 4.63.0 2011.03.23 -
    SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
    Symantec 20101.3.0.103 2011.03.23 -
    TheHacker 6.7.0.1.155 2011.03.23 -
    TrendMicro 9.200.0.1012 2011.03.23 -
    TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
    VBA32 3.12.14.3 2011.03.23 -
    VIPRE 8792 2011.03.23 -
    ViRobot 2011.3.23.4372 2011.03.23 -
    VirusBuster 13.6.265.0 2011.03.23 -

    ComboFix Log:

    ComboFix 11-03-22.09 - J 03/23/2011 9:31.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -5:00]
    Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
    2011-03-23 02:04 . 2011-03-23 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
    2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
    2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
    2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
    2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-23_01.53.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-23 14:21 . 2011-03-23 14:21 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
    - 2006-03-04 03:33 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
    + 2006-03-04 03:33 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
    + 2009-03-08 09:31 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
    - 2009-03-08 09:31 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
    - 2004-08-10 11:00 . 2010-11-06 00:26 43520 c:\windows\system32\licmgr10.dll
    + 2004-08-10 11:00 . 2010-12-20 23:59 43520 c:\windows\system32\licmgr10.dll
    + 2004-08-10 11:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
    - 2004-08-10 11:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
    + 2009-09-17 18:16 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll
    - 2009-03-08 09:31 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2009-03-08 09:31 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2009-09-17 18:16 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2009-03-08 09:34 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2009-03-08 09:34 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2009-03-08 09:33 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2009-03-08 09:33 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2004-08-10 11:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
    - 2004-08-10 11:00 . 2009-12-14 07:08 33280 c:\windows\system32\csrsrv.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
    - 2006-03-04 03:33 . 2010-11-06 00:26 916480 c:\windows\system32\wininet.dll
    + 2006-03-04 03:33 . 2010-12-20 23:59 916480 c:\windows\system32\wininet.dll
    - 2004-08-10 11:00 . 2008-04-14 00:12 135168 c:\windows\system32\shsvcs.dll
    + 2004-08-10 11:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
    - 2004-08-10 11:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
    + 2004-08-10 11:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
    + 2004-08-10 11:00 . 2010-12-09 15:15 718336 c:\windows\system32\ntdll.dll
    + 2006-03-04 03:33 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
    - 2006-03-04 03:33 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
    + 2009-03-08 09:32 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
    - 2009-03-08 09:32 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
    - 2004-08-10 11:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
    + 2004-08-10 11:00 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
    + 2004-08-10 11:00 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
    - 2004-08-10 11:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
    + 2006-03-04 03:33 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
    - 2006-03-04 03:33 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
    - 2004-08-10 11:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
    + 2004-08-10 11:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
    - 2004-08-10 11:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
    + 2004-08-10 11:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
    - 2008-10-15 21:43 . 2011-02-01 19:50 181832 c:\windows\system32\FNTCACHE.DAT
    + 2008-10-15 21:43 . 2011-03-23 02:28 181832 c:\windows\system32\FNTCACHE.DAT
    - 2008-08-20 05:30 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
    + 2008-08-20 05:30 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
    + 2009-07-27 23:17 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
    + 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
    + 2004-08-10 11:00 . 2011-02-04 22:48 291840 c:\windows\system32\dllcache\sbe.dll
    + 2009-03-08 09:34 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
    - 2009-03-08 09:34 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
    + 2009-04-15 16:13 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
    + 2009-03-08 09:32 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
    - 2009-03-08 09:32 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2009-09-17 18:16 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll
    - 2009-04-15 16:13 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
    + 2009-04-15 16:13 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
    + 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
    + 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2009-09-17 18:16 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2009-03-08 09:31 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
    - 2009-03-08 09:31 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
    + 2010-07-10 02:56 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2010-07-10 02:56 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
    + 2009-03-08 19:09 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
    - 2009-03-08 19:09 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
    - 2009-03-08 09:32 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
    + 2009-03-08 09:32 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
    + 2004-08-10 11:00 . 2011-02-04 22:48 456192 c:\windows\system32\dllcache\encdec.dll
    + 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
    - 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
    + 2011-03-23 02:18 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
    + 2011-03-23 02:18 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
    + 2011-03-23 02:18 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
    + 2011-03-23 02:18 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
    + 2006-03-18 11:09 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
    - 2006-03-18 11:09 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
    + 2004-08-10 11:00 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
    - 2004-08-10 11:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
    + 2005-03-30 01:21 . 2010-12-09 13:42 2148864 c:\windows\system32\ntoskrnl.exe
    + 2005-03-30 01:01 . 2010-12-09 13:07 2027008 c:\windows\system32\ntkrnlpa.exe
    + 2006-03-23 17:32 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
    - 2009-03-08 09:32 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
    + 2009-03-08 09:32 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
    + 2008-10-17 04:11 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
    + 2008-08-20 05:30 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
    - 2008-08-20 05:30 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
    - 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
    + 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
    + 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2008-08-20 05:30 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
    + 2011-02-02 07:58 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
    + 2009-09-17 18:16 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll
    + 2011-03-23 02:05 . 2011-03-23 02:05 3277312 c:\windows\Installer\15fa20.msi
    + 2011-03-23 02:03 . 2011-03-23 02:03 1611776 c:\windows\Installer\15fa1c.msi
    + 2011-03-23 02:18 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
    + 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2008-10-17 13:22 . 2011-03-03 00:56 37943240 c:\windows\system32\MRT.exe
    + 2009-03-08 09:39 . 2010-12-21 10:29 11080704 c:\windows\system32\ieframe.dll
    - 2009-03-08 09:39 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
    - 2009-09-17 18:16 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
    + 2009-09-17 18:16 . 2010-12-21 10:29 11080704 c:\windows\system32\dllcache\ieframe.dll
    + 2011-03-23 02:18 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    .
    c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
    backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
    backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
    2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
    2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "gupdate1c9b6296af48476"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
    R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
    S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
    S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
    .
    2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
    FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-23 09:36
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\l3codeca.acm
    .
    - - - - - - - > 'explorer.exe'(3272)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-03-23 09:37:52
    ComboFix-quarantined-files.txt 2011-03-23 14:37
    ComboFix2.txt 2011-03-23 01:55
    .
    Pre-Run: 73,506,562,048 bytes free
    Post-Run: 73,492,258,816 bytes free
    .
    - - End Of File - - 72D84D105BE313EA25CC28B8CA708CBA
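The SnapShot section of the log above is a diff between two ComboFix runs: each `-` line is the file as it was in the earlier snapshot, each `+` line the file as it is now. Read in pairs, it shows which system files were replaced and whether the old copy was preserved somewhere (the `ie8updates\KB2482017-IE8\` entries carry the old dates and sizes of the `system32` files that changed, the pattern a hotfix leaves). The Python below is an added example written for this page; it is not code from the thread, from ComboFix or from any tool named here. The excerpt in `SAMPLE` is copied from the log above; the `example.dll` pair in `CONSTRUCTED_DOWNGRADE` is made up to show the one case worth a second look, a replacement that is older than the file it replaced. Line format and the reason heuristics are my assumptions, not ComboFix documentation.

```python
import re
from collections import defaultdict

# One SnapShot diff line, as it appears in the log:
#   <+|-> <created> . <modified> <size> <path>
SNAPSHOT_LINE = re.compile(
    r"^\s*([+-])\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+)\s+(.+?)\s*$"
)

# Copied from the SnapShot section of the ComboFix log above.
SAMPLE = r"""
+ 2011-03-23 14:21 . 2011-03-23 14:21 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
- 2006-03-04 03:33 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-10 11:00 . 2010-12-09 15:15 718336 c:\windows\system32\ntdll.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
"""

# Constructed pair for a hypothetical file (NOT from the log): the replacement
# carries an OLDER modification time than the copy it replaced.
CONSTRUCTED_DOWNGRADE = r"""
- 2004-08-10 11:00 . 2010-12-20 23:59 45056 c:\windows\system32\example.dll
+ 2004-08-10 11:00 . 2008-04-14 00:12 45056 c:\windows\system32\example.dll
"""


def parse_snapshot(text):
    """Yield (sign, created, modified, size, path) for every '+'/'-' line."""
    for line in text.splitlines():
        m = SNAPSHOT_LINE.match(line)
        if m:
            sign, created, modified, size, path = m.groups()
            yield sign, created, modified, int(size), path.lower()


def pair_changes(text):
    """Group diff lines by path.

    Returns {'replaced': {path: (old, new)}, 'added': {path: new},
    'removed': {path: old}}, where old/new are (created, modified, size).
    """
    by_path = defaultdict(dict)
    for sign, created, modified, size, path in parse_snapshot(text):
        by_path[path][sign] = (created, modified, size)
    out = {"replaced": {}, "added": {}, "removed": {}}
    for path, versions in by_path.items():
        if "-" in versions and "+" in versions:
            out["replaced"][path] = (versions["-"], versions["+"])
        elif "+" in versions:
            out["added"][path] = versions["+"]
        else:
            out["removed"][path] = versions["-"]
    return out


def downgrades(changes):
    """Replaced files whose new copy is older than the one it replaced.

    Patches move the modification time forward; a step backwards is unusual
    and deserves a look. ISO timestamps compare correctly as strings.
    """
    return sorted(path for path, (old, new) in changes["replaced"].items()
                  if new[1] < old[1])


def explained_by_backup(changes):
    """Replaced files whose previous version reappears as an ADDED file with
    the same name, size and old mtime somewhere else (e.g. under the
    ie8updates/KB... uninstall folder): the footprint of a hotfix install."""
    explained = set()
    for path, (old, _new) in changes["replaced"].items():
        name = path.rsplit("\\", 1)[-1]
        for other, (_created, mtime, size) in changes["added"].items():
            if (other != path and other.rsplit("\\", 1)[-1] == name
                    and mtime == old[1] and size == old[2]):
                explained.add(path)
    return explained


if __name__ == "__main__":
    changes = pair_changes(SAMPLE + CONSTRUCTED_DOWNGRADE)
    explained = explained_by_backup(changes)
    for path in sorted(changes["replaced"]):
        tag = "old copy kept as backup" if path in explained else "no backup seen"
        print(f"replaced  {path}  ({tag})")
    for path in downgrades(changes):
        print(f"DOWNGRADE {path}")
```

On the excerpt, `mshtmled.dll` is paired with its backup under `ie8updates\KB2482017-IE8\`, `lsasrv.dll` has no backup in the excerpt, and only the constructed `example.dll` is reported as a downgrade. Run over the full SnapShot section, the same pairing shows the bulk of the `+`/`-` churn in this log to be the IE8 files and their uninstall copies rather than anything unexplained.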

  6. #6
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi sam, thanks for the logs.


    Apparently the ComboFix script didn't work. Have you uninstalled AVG? Please download the attached CFscript.txt file at the bottom of my post and save it to your desktop.

    • Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
    • This will start ComboFix again. Close all browsers/windows first.


    **Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.**




    **Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.


    Please advise if the upload was successful and post back including the Combofix log.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    10

    Default Combofix

    I think I did something wrong the first time through.

    Log:

    ComboFix 11-03-23.01 - J 03/23/2011 13:34:46.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -5:00]
    Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFscript.txt
    .
    FILE ::
    "c:\program files\031820107425510.bat"
    "c:\program files\0403201015360422.bat"
    "c:\program files\0414201021192699.bat"
    "c:\program files\0414201021202447.bat"
    .
    file zipped: c:\program files\0809201021175065.bat
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\031820107425510.bat
    c:\program files\0403201015360422.bat
    c:\program files\0414201021192699.bat
    c:\program files\0414201021202447.bat
    c:\program files\0809201021175065.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
    2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-03-23_14.36.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-23 18:27 . 2011-03-23 18:27 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
    + 2011-03-23 14:48 . 2011-03-23 14:48 3277312 c:\windows\Installer\17a407.msi
    + 2011-03-23 14:47 . 2011-03-23 14:47 1611776 c:\windows\Installer\17a403.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    .
    c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
    backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
    path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
    backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
    2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
    2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "gupdate1c9b6296af48476"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
    R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
    S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
    S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - CFCATCHME
    *Deregistered* - CFcatchme
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
    .
    2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
    .
    2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
    FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-23 13:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2011-03-23 13:41:17
    ComboFix-quarantined-files.txt 2011-03-23 18:41
    ComboFix2.txt 2011-03-23 14:37
    ComboFix3.txt 2011-03-23 01:55
    .
    Pre-Run: 73,157,271,552 bytes free
    Post-Run: 73,138,380,800 bytes free
    .
    - - End Of File - - 1026AD96D9E2171A5F490801A1CB93EC
    Upload was successful

  8. #8
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi,

    Please download The Avenger2 by Swandog46 to your Desktop.

    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop


    1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    
    Drivers to delete:
    SeekeenSrch Service
    
    Files to delete:
    c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
    c:\program files\SeekeenSrch\seekeen.dll
    
    Folders to delete:
    c:\program files\SeekeenSrc
    c:\documents and settings\All Users\Application Data\SeekeenSrch
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.

    3. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    4. Please copy/paste the content of c:\avenger.txt into your reply.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    10

    Default Avenger Log

    The log is below:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Driver "SeekeenSrch Service" deleted successfully.

    Error: file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" not found!
    Deletion of file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "c:\program files\SeekeenSrch\seekeen.dll" not found!
    Deletion of file "c:\program files\SeekeenSrch\seekeen.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "c:\program files\SeekeenSrc" not found!
    Deletion of folder "c:\program files\SeekeenSrc" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Folder "c:\documents and settings\All Users\Application Data\SeekeenSrch" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
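An added note on reading that log (this example is not part of the thread, of The Avenger, or of anything the helper posted). Three of the five scripted items come back with `0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)`, which means there was nothing at that path to delete: either an earlier pass (ComboFix ran three times before this) had already removed it, or the path in the script does not match what is on disk. The last case is worth checking by hand here: the script's folder entry `c:\program files\SeekeenSrc` is spelled differently from the file entry `c:\program files\SeekeenSrch\seekeen.dll` in the same script. The script below, assuming only the log format visible in this thread (the `deleted successfully.` line, the `Deletion of ... failed!` line and the `Status: 0x... (NAME)` line that follows it), parses an Avenger log, separates "deleted" from "already absent" from "failed for another reason", and lists the items that still need a manual follow-up. The sample input is the log posted above, copied verbatim; the second input in the usage is a constructed access-denied case.

```python
"""Triage an Avenger 2.0 log.

Added example for this thread; it is not part of The Avenger or of any post.
It classifies each scripted deletion as deleted / absent / failed and lists
the items that are still on disk and need manual removal. Only the line
shapes seen in the posted log are recognised; other output is ignored.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the Avenger log posted by the original poster, copied verbatim.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "SeekeenSrch Service" deleted successfully.

Error: file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" not found!
Deletion of file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\program files\SeekeenSrch\seekeen.dll" not found!
Deletion of file "c:\program files\SeekeenSrch\seekeen.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "c:\program files\SeekeenSrc" not found!
Deletion of folder "c:\program files\SeekeenSrc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\documents and settings\All Users\Application Data\SeekeenSrch" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""

SUCCESS_RE = re.compile(r'^(?P<kind>\w+) "(?P<name>.+)" deleted successfully\.$')
FAILURE_RE = re.compile(r'^Deletion of (?P<kind>\w+) "(?P<name>.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>\w+)\)$')

# NTSTATUS names meaning "nothing there to delete": already removed by an
# earlier pass, or a mistyped path in the script. Anything else is a real
# failure (locked file, access denied, ...) and the item is still present.
ALREADY_ABSENT = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}

Item = Dict[str, Optional[str]]


def parse_avenger_log(text: str) -> List[Item]:
    """Return one record per scripted item, in log order."""
    items: List[Item] = []
    pending: Optional[Item] = None  # last failure still waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()  # forum posts indent the log
        m = SUCCESS_RE.match(line)
        if m:
            items.append({"kind": m["kind"].lower(), "name": m["name"],
                          "outcome": "deleted", "status": None})
            pending = None
            continue
        m = FAILURE_RE.match(line)
        if m:
            pending = {"kind": m["kind"].lower(), "name": m["name"],
                       "outcome": "failed", "status": None}
            items.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = m["name"]
            if m["name"] in ALREADY_ABSENT:
                pending["outcome"] = "absent"
            pending = None
    return items


def summarize(items: List[Item]) -> Dict[str, int]:
    """Count items per outcome."""
    counts = {"deleted": 0, "absent": 0, "failed": 0}
    for it in items:
        counts[str(it["outcome"])] += 1
    return counts


def absent_items(items: List[Item]) -> List[str]:
    """Paths the script named that were not on disk: recheck spelling."""
    return [str(it["name"]) for it in items if it["outcome"] == "absent"]


def needs_followup(items: List[Item]) -> List[Tuple[str, str, Optional[str]]]:
    """Items that failed for a reason other than 'not there'; still on disk."""
    return [(str(it["kind"]), str(it["name"]), it["status"])
            for it in items if it["outcome"] == "failed"]


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for it in parsed:
        tail = f'  [{it["status"]}]' if it["status"] else ""
        print(f'{it["outcome"]:8} {it["kind"]:7} {it["name"]}{tail}')
    print(summarize(parsed))
    print("not found (verify the path):", absent_items(parsed))
    print("still present, needs manual removal:", needs_followup(parsed))
```

Run it on a saved `C:\avenger.txt` by replacing `SAMPLE_LOG` with the file's contents. A "not found" result is only good news if the path was right; a "failed" result with any other status means the driver, file or folder survived the reboot and the next step (ComboFix script, manual deletion from a boot CD, or a fresh scan) should target it explicitly.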

  10. #10
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi,


    We are almost done. Please follow these steps:


    Step 1 | Please download CCleaner (freeware)

    • Run the installer.
    • Once installed, run CCleaner and click the Windows [tab]
    • The following should be selected by default, if not, please select:

    • Next: click Options (in the left panel) and click the Advanced button.
    • Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
    • Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.



    Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


    Step 3 | Let's perform an ESET Online Scan

    Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

    • Please go here then click on:
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed, make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic.
    • Now click on: (Selecting Uninstall application on close if you so wish)
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
